12-10-2015 01:35 PM
I am trying to resolve an issue I am seeing with a new installation of a WSA (8.5) and an ASA (9.5.1) running FireSIGHT (5.4.1.4). The WSA, ASA, and FireSIGHT are all operating correctly, but in reviewing the Malware File Trajectory, the only internal device displayed is the WSA. The trajectory, I'm assuming, can't be traced back to the end-host since the WCCP must take place prior to the redirection to FireSIGHT. All HTTP and HTTPS traffic then appears to be coming from the WSA. I'm hoping IP spoofing on the WSA will provide the correct end-host IP in the trajectory.
If anyone could share the configuration on the ASA using the two WCCP configurations required for IP spoofing on the WSA, I would appreciate it. All the configurations I have found online relate to using an IOS router.
Or is this not possible? The ASA seems to only support ingress WCCP.
12-11-2015 06:51 AM
You are correct, ASA does not support IP spoofing for WCCP. If you can read XFF headers, then WSA can insert the client IP into the XFF header.
http://www.cisco.com/c/en/us/td/docs/security/asa/special/wccp/guide/asa-wccp.html
Unsupported Features
12-11-2015 08:10 AM
Tommy,
Thank you! That was the documentation I was looking for. Cisco should consider adding that little tidbit to the WSA User Guide ;)